Comment by notpushkin

4 days ago

Whoa!

Completely unrelated but somehow unsurprising:

Zero-day CSS: CVE-2026-2441 exists in the wild - https://news.ycombinator.com/item?id=47062748 - February 2026 (233 comments)

That was in the C++ implementation of the CSS interface that gets exposed to JS, though; there wasn't an exploit from CSS.

I don't think it's that unrelated. If you make a system way more complex than it should be (clearly the case with CSS), it's obvious the risk of vulnerabilities increases exponentially.